From e1c0f409c361f1de34a664940c4360ef17a7529a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charlotte=20=F0=9F=A6=9D=20Delenk?=
Date: Thu, 7 Nov 2024 08:51:24 +0100
Subject: [PATCH] fix root ssh secrets

---
 .sops.yaml | 4 +--
 programs/ssh/builders.nix | 28 +++++++++++++++------
 programs/ssh/home-manager.nix | 14 ++++++++---
 programs/ssh/shared-keys.yaml | 47 +++++++++++++++++++++--------------
 users/root/default.nix | 19 ++++++++++----
 users/root/system.yaml | 5 ++--
 6 files changed, 76 insertions(+), 41 deletions(-)

diff --git a/.sops.yaml b/.sops.yaml
index dfa0e9a5..5a6a1a3b 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,7 +2,6 @@ keys:
 - &base age1tltjgexkp5fz3rum4j0k66ty5q4u8ptvkgkepumd20zal24g2qfs5xgw76
 - ¬522 age1emv3kzvwgl36hgllrv7rlekqy3y3c6eztadl3lv09ks3z9vv6vdqw06yqa
 - &pc-installer age1eh2vd6cdy23qazwg0hzq95pn9e6p8yaqu4g6zyan8gzal4x5ed5qful8kg
- - &root age1pcdyf483yl2r8wny30yxsp9yusgder6vra7yrf7qjqn5fjhcxeaq3342ew
 - &darkkirb age15g6tzvcmcp3ae4hwnn4pwewat6eq9unlhtjrlaka6rf94ej9dd5qqpgt7u
 
 creation_rules:
@@ -31,6 +30,7 @@ creation_rules:
 - path_regex: programs/ssh/shared-keys.yaml$
 key_groups:
 - age:
- - *root
 - *darkkirb
 - *base
+ - *not522
+ - *pc-installer
diff --git a/programs/ssh/builders.nix b/programs/ssh/builders.nix
index d8224a9c..0c43551c 100644
--- a/programs/ssh/builders.nix
+++ b/programs/ssh/builders.nix
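Review bot: Replacing `*root` with `*not522` and `*pc-installer` in the shared-keys.yaml rule re-encrypts the shared SSH private keys to two more host age keys, one of which — judging by its alias — belongs to installer media, so anything that boots that image can decrypt the builder key and `id_ed25519_sk`; that widening deserves a comment on the rule, e.g. `# shared SSH keys are decryptable by the not522 and installer host keys; rotate them whenever a recipient is removed`. Removing a recipient revokes nothing: earlier revisions of programs/ssh/shared-keys.yaml stay in git history encrypted to the removed `&root` key, and the untouched `lastmodified`/`mac` lines in that file's hunk show the SSH key material itself was not rotated, so whoever holds that age key (which this same patch deletes from users/root/system.yaml) keeps access to the same keys. If the root age key was over-exposed rather than merely inconvenient, rotating `builder_id_ed25519` and `id_ed25519_sk` should accompany this change.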
@@ -1,39 +1,51 @@
-{config, ...}: {
+{
+ config,
+ systemConfig,
+ lib,
+ ...
+}: let
+ identityFile =
+ if config.home.username == "root"
+ then systemConfig.sops.secrets.".ssh/builder_id_ed25519".path
+ else config.sops.secrets.".ssh/builder_id_ed25519".path;
+in {
 programs.ssh = {
 enable = true;
 matchBlocks = {
 "build-nas" = {
 hostname = "nas.int.chir.rs";
 identitiesOnly = true;
- identityFile = config.sops.secrets.".ssh/builder_id_ed25519".path;
+ inherit identityFile;
 port = 22;
 user = "remote-build";
 };
 "build-rainbow-resort" = {
 hostname = "rainbow-resort.int.chir.rs";
 identitiesOnly = true;
- identityFile = config.sops.secrets.".ssh/builder_id_ed25519".path;
+ inherit identityFile;
 port = 22;
 user = "remote-build";
 };
 "build-aarch64" = {
 hostname = "instance-20221213-1915.int.chir.rs";
 identitiesOnly = true;
- identityFile = config.sops.secrets.".ssh/builder_id_ed25519".path;
+ inherit identityFile;
 port = 22;
 user = "remote-build";
 };
 "build-riscv" = {
 hostname = "not522.tailbab65.ts.net";
 identitiesOnly = true;
- identityFile = config.sops.secrets.".ssh/builder_id_ed25519".path;
+ inherit identityFile;
 port = 22;
 user = "remote-build";
 };
 };
 };
- sops.secrets.".ssh/builder_id_ed25519" = {
- mode = "600";
- sopsFile = ./shared-keys.yaml;
+ sops.secrets = lib.mkIf (config.home.username != "root") {
+ ".ssh/builder_id_ed25519" = {
+ mode = "600";
+ sopsFile = ./shared-keys.yaml;
+ };
 };
 }
diff --git a/programs/ssh/home-manager.nix b/programs/ssh/home-manager.nix
index 26defbcf..b3dd0f9d 100644
--- a/programs/ssh/home-manager.nix
+++ b/programs/ssh/home-manager.nix
@@ -1,6 +1,7 @@
 {
 lib,
 config,
+ systemConfig,
 ...
 }: {
 imports = [
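Review bot: The `identityFile` chooser in the new `let` block (`if config.home.username == "root" then systemConfig.sops.secrets.".ssh/builder_id_ed25519".path else config.sops.secrets.".ssh/builder_id_ed25519".path`) is repeated with the other key name in the second hunk of programs/ssh/home-manager.nix, and both depend on a `systemConfig` module argument that nothing in this patch defines — presumably it is injected through home-manager's extraSpecialArgs elsewhere, but if it is absent every home evaluation fails, not only root's. A single shared helper, `secretPath = name: if config.home.username == "root" then systemConfig.sops.secrets.${name}.path else config.sops.secrets.${name}.path;`, would remove the duplication and keep the two files from drifting. The reason root is special also deserves a comment at the `let`, e.g. `# root has no user-level age key; its SSH keys are decrypted by the system sops module (see users/root/default.nix)`.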
@@ -10,12 +11,17 @@
 controlMaster = "auto";
 controlPersist = "10m";
 matchBlocks."*" = lib.hm.dag.entryAfter ["build-nas" "build-rainbow-resort" "build-aarch64" "build-riscv"] {
- identityFile = config.sops.secrets.".ssh/id_ed25519_sk".path;
+ identityFile =
+ if config.home.username == "root"
+ then systemConfig.sops.secrets.".ssh/id_ed25519_sk".path
+ else config.sops.secrets.".ssh/id_ed25519_sk".path;
 };
 enable = true;
 };
- sops.secrets.".ssh/id_ed25519_sk" = {
- mode = "600";
- sopsFile = ./shared-keys.yaml;
+ sops.secrets = lib.mkIf (config.home.username != "root") {
+ ".ssh/id_ed25519_sk" = {
+ mode = "600";
+ sopsFile = ./shared-keys.yaml;
+ };
 };
 }
diff --git a/programs/ssh/shared-keys.yaml b/programs/ssh/shared-keys.yaml
index 6134dc63..7eb8de2b 100644
--- a/programs/ssh/shared-keys.yaml
+++ b/programs/ssh/shared-keys.yaml
@@ -7,32 +7,41 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age1pcdyf483yl2r8wny30yxsp9yusgder6vra7yrf7qjqn5fjhcxeaq3342ew - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1OGN5azZvMFZlY0wxZ0xX - b2lGakZzY1FCdnhTZlU0RTB3aUVhUlROYTJJCnlZdDk1K28wTjBVR09rVlRLT3J3 - WU1FeDJWRlNjb2lyMGpCVVlJYVhLNGcKLS0tIEt1VVlkY3FsYk1aeUcvaFlDS3Ju - SFVHWnpMdXlQcXdaNUtwOUh3Sjg1YUEKEiO3ohjqoNg5lu/2Yyg07HMuvo+qtsMR - 2e0CBnuUT8g2kIsN8IYgY6sMX3yNvpuL0AmjiL+ncF/w38JFBzJmCw== - -----END AGE ENCRYPTED FILE----- - recipient: age15g6tzvcmcp3ae4hwnn4pwewat6eq9unlhtjrlaka6rf94ej9dd5qqpgt7u enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UkcrcENqckkxcXJHcG0z - b0hzZ0JPWjg4RjREMENmeVRyUmJvNWc2WVhJCkVoM3lhb2VpUXUvNTR2K2pwUVVU - MzRrMm5XWTRSdXppcXdvWmlYWXNrcEEKLS0tIG92c3VOYkVvRG1Bd0Z6U2ZZRG14 - dHQvc3JMU0JRUEFNWHVjQkNOYmdYQzAKSWERLI8m2IzLdmGCel7ca12JeOTBm5mg - qmjtjTTRRZc+decLAgpZd0CUza3hZcJjRWyKUXP4yeItCaAmOgJ7VQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxeUl2SHFQVDZEUnB6aGtT + dnh4V3JObG5QVTFNWUJZNEVCZ0ZSN0RrZXdrCmZLeHVEMTl5Uk13eVZzZUhYQUpV + ZEFjWGtvQXB4S0lPNTF6dkRuTURCaE0KLS0tIGxTRXBBQ3kvUjUya05YREUrRDVR + dHJLcWF3QTBNNTNMTElPckZsNTVuZlkKv+O1BXdVBAhQA98crwWC8h5EHy8XT7FZ + PB7KEKxI/K5Gk+mBEYmipU1sUIgDOlZxXqC1kDKdmZmhHbKDEC2irQ== -----END AGE ENCRYPTED FILE----- - recipient: age1tltjgexkp5fz3rum4j0k66ty5q4u8ptvkgkepumd20zal24g2qfs5xgw76 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqWVZVRXoyVSsyMlVEU3NF - SHFMMGVVeHdMcUtvQ0ZNdHFzYlI4ZjdNL1hnCnFQK0pzaGovTHV0K1A3cUtEQVRE - N09hZ1BjUEtnbGdaWTJQSXJHMHZQaW8KLS0tIDlZc2RteFgycnhrMFdSR0RjOTBK - SEtJZWVEZ3dsbkUyM09JVnI1WnN6RXcK+odcorNYMvm21CWVDlO48ubj3X3nuhRh - m0giyDyxRRXFye7XptZayT64Vcx6wRXXMm3SOZL2BVwuLibZeIagrg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQVHlBeHJTODVBQ1hhYkFF + emFWczVmblR6VW5rbkF6MnUwejA3Wjc3aXpBCmI2Wm1xc2VFeDdXcUZEN0dJOWF0 + V3RON2FKY1U4YmhPQldTWWNZaUZ5dEUKLS0tIDJRQVJreE9JV0FLcnRWQzhFRGtK + 
cFhyUlBMQVg1a2pPdXI3SW5KSmsvNVUK86u53KET36rjOqB7Ecp//vk+fr7sSxyR + luP5xkQKNCECQxsSMuFO3T4qY8Kso93mO9vajv51rXBOK/8mQ2Q/CQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1emv3kzvwgl36hgllrv7rlekqy3y3c6eztadl3lv09ks3z9vv6vdqw06yqa + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVQlVwem1tQ3NqSHViQm1a + bkR2MnVZT1ZLM0Q2V0tiUEg4UC8zTjBIbUFNCkZ4REhYb2hNTFFCSFF0VmZnbSty + SklVZ0JQWXRka0pSajV2TlU1aUJSeVEKLS0tIHFEWHdteW50WVArcmtISEFoNTVa + d3hwK2F1VVNWbUxpZmY3cjNKMHd3L1kKyqHhER26gbDrmn+bDHVlhG3/MP5hL2OF + OuqVrOI1wBFwFN5BCbSnvnG4QOkqFnhh9O+zmGzPfw95nsLVF2wjng== + -----END AGE ENCRYPTED FILE----- + - recipient: age1eh2vd6cdy23qazwg0hzq95pn9e6p8yaqu4g6zyan8gzal4x5ed5qful8kg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VzA2VUNoRVFNNUlaTyt1 + VEVyRmJxYlBPZ2RwQkFKU2JFbDEyYU8wZjE4Cm54a29ZaGRueFRtaHI4RXFEN1FB + U3RUYjRQM2hDY0RHd0FiZ0VBWmtwTHcKLS0tIG1sejZtWTJReVA0ZmlYVmFNSzIx + MkNpV3pYYlNCQ05QN0NyQXM3Q2Nzb00K9o3t7LNSk8A9MTGUicE1KmyQdWnBOypn + PCyV+1tAfQeDaKCHR0Wvxlfqz3EEb8KzCK1tAohxGeSJywl9PF4unQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-11-06T08:58:58Z" mac: ENC[AES256_GCM,data:yzeJcuRDNbPebTJ4wwT4yiOuFMplSOf/XJcdw+g04S3ELj8tWwmQszv/gYJfCTI7kfeREbggyddF/2g4T7dzwCK2dWvGNRvGz96JFvYalWwI8a1ZSDk2DCS1ahKzcXisLG1WtVqVpr7i5ttkWGUjrgcRJrekLCCHGz228JnlUvE=,iv:EQs/TLqF8Hzah5YDZ2GqSrpr8FGkZgHt/Q/4bMlWe8U=,tag:AWsIaUAphZ2g95idHnhNSQ==,type:str] diff --git a/users/root/default.nix b/users/root/default.nix index ebd66dfa..79b64489 100644 --- a/users/root/default.nix +++ b/users/root/default.nix @@ -1,4 +1,9 @@ -{config, ...}: { +{ + nixos-config, + config, + lib, + ... +}: { users.users.root = { createHome = true; openssh.authorizedKeys.keys = [ 
@@ -10,10 +15,14 @@
 neededForUsers = true;
 sopsFile = ./system.yaml;
 };
- sops.secrets."users/users/root/age-key" = {
- owner = "root";
- sopsFile = ./system.yaml;
+ sops.secrets.".ssh/builder_id_ed25519" = {
+ mode = "600";
+ sopsFile = "${nixos-config}/programs/ssh/shared-keys.yaml";
 };
- home-manager.users.root.sops.age.keyFile = config.sops.secrets."users/users/root/age-key".path;
+ sops.secrets.".ssh/id_ed25519_sk" = {
+ mode = "600";
+ sopsFile = "${nixos-config}/programs/ssh/shared-keys.yaml";
+ };
+ home-manager.users.root.sops.secrets = lib.mkForce {};
 environment.impermanence.users = ["root"];
 }
diff --git a/users/root/system.yaml b/users/root/system.yaml
index 0a4461d5..e5ba7338 100644
--- a/users/root/system.yaml
+++ b/users/root/system.yaml
@@ -2,7 +2,6 @@ users:
 users:
 root:
 hashedPassword: ENC[AES256_GCM,data:ptHTZ/MHRId363TlEWNJpOMQ46dISPSQjvrqsxQzq9hmDU3oC0FO9Mtf08I9wcVa0KpIEQfSZp/AgZ7yburK9EpfBccwudRdzpCBynsRYxhbuirSAm4ANaBLyrYx1jsCXFbeNDA4xsrmfw==,iv:WIG8qv7vAIUN8MMPkPKc9sjG1CQMYk03/C2TYSDs9zY=,tag:9Vm8Grn2AtME0O329N60Bw==,type:str]
- age-key: ENC[AES256_GCM,data:A0G/R9o2Qray5kk7lqwu00EOJD0mRQ5cYWRDBzvw0gMTIq+JU16m5QrXLgzK3M/oURxPbBUOC+Wy7ZdiPAHVj5i353bsVLzGi6wIuwQpL2HA0RUwcos/bBnPTcvRriErBIpMYxgkxEVvgb4NpS0523V09AiXgX5DSY/z6pmQ1ERtXl1YRW+lCRqewgUUweC4WE31iG82NDOXkPZM+oaFginQeUy0Ruy4Kya4xQjC/+pzbxRdJwQKGkf/5fLl,iv:1TnvWbolHgQgOMmOBxpqxUlKmD14oCd+Yo/Jn2AHuL8=,tag:ML2ifWFpzHHxJ4F2OQ3+jA==,type:str]
 sops:
 kms: []
 gcp_kms: []
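Review bot: `home-manager.users.root.sops.secrets = lib.mkForce {};` wipes every home-manager sops secret for root, not only the two SSH keys this hunk moves to the system level; since the `lib.mkIf (config.home.username != "root")` guards in programs/ssh already suppress those two definitions the mkForce looks redundant, and any other module that declares a secret for root's home and reads its `.path` would fail evaluation on the missing attribute. Either drop it or document the intent: `# root no longer has a user-level age key, so no home-manager secret can be decrypted for it`. The two system-level declarations differ only in name and both hard-code `"${nixos-config}/programs/ssh/shared-keys.yaml"`; `lib.genAttrs [".ssh/builder_id_ed25519" ".ssh/id_ed25519_sk"] (_: { mode = "600"; sopsFile = "${nixos-config}/programs/ssh/shared-keys.yaml"; })` keeps them in one place. `mode = "600"` with the sops module's default owner of root matches what ssh requires of a private key file, but since these secrets now live under the system secret directory rather than root's home, a one-line comment saying so would help the next reader.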
@@ -36,8 +35,8 @@ sops:
 MGg3ZUxqcnhzbiszb2RNVkkwNUNIbHcK/NdUErDE9xecelLx1i0MjZCKkdev+hdx
 ZWwQORih0fGotN9FjFQuBTc4Y0ApRy8Su52xCp1UOqM0FhnaHjwEQQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-11-06T08:34:07Z"
- mac: ENC[AES256_GCM,data:U3+GUzxyPL7infWqht48rQ7Oe7E7Fu3WU883VZjJSKLM46ilDf0mWhpIWX7JDwhFzii/fSyF3+FsJvBDD4bcnK8L0UiS7C9z6yH9RGtOXI6is6jitfgm4qOuPP+aZa99hEDUf/ZO5uEzE/Psayf4aVAxEyL3L+SgVdiWf2MIFmk=,iv:XQavrryRBHnSf/xPMGY/lk/ep1qdRdgDtzUVwde4vXE=,tag:yWScrP9lTH1SiHpUiQuAXw==,type:str]
+ lastmodified: "2024-11-07T07:35:18Z"
+ mac: ENC[AES256_GCM,data:fGS1pQBHJ6vausZUbARxt7J/69tcFk1kkzrHLox12J+QQfgZYAm8xoue343Jw2NH+OgeYyOfAz8nKfKmZiibQIGPbV/JPkFvI7KQL7sEy7PLYLFU0cWF5DXwG4Y4z71rfgnNcX7emc2iQWwEcXMU6wM84ltkqf5zPPelvphXz+I=,iv:mVOFo1PtYVqMTvHmrmTO+eOqZ3N57kuc0KP5/XAN1b0=,tag:OJBY9qGxkVVNqJlDmDOJGQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.1